AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. At Pi extension runtime, the package registers workflow tools, commands, UI hooks, optional web research, and user-requested git worktree isolation. No install-time execution or unconsented mutation of another agent control surface was found.
Decision evidence
public snapshot- `extensions/workflow.ts` registers a Pi extension on `session_start`.
- `src/web-tools.ts` exposes `web_fetch` for caller-supplied URLs and Bing search.
- `src/workflow.ts` imports `node:vm` for workflow-script handling.
- `src/worktree.ts` can invoke `git worktree` when agent isolation is requested.
- `package.json` has no preinstall/install/postinstall/prepare hook; only `prepublishOnly` builds.
- No source evidence of environment-variable harvesting or credential exfiltration.
- No fixed external endpoint beyond `https://www.bing.com/search`; fetch targets are tool inputs.
- State writes target package-aligned `.pi/workflows` paths; agent definitions are read, not mutated.
- Git commands use `execFile` with fixed executable and argument arrays.
Source & flagged code
4 flagged · loading source`extensions/workflow.ts` registers a Pi extension on `session_start`.
extensions/workflow.tsView on unpkg`src/web-tools.ts` exposes `web_fetch` for caller-supplied URLs and Bing search.
src/web-tools.tsView on unpkg`src/workflow.ts` imports `node:vm` for workflow-script handling.
src/workflow.tsView on unpkg`src/worktree.ts` can invoke `git worktree` when agent isolation is requested.
src/worktree.tsView on unpkg